House hearing blasts Sony’s “half-hearted, half-baked” hack response

Sony didn't show up for Congressional data breach hearing this morning, but …

Despite suffering massive breaches that made national news, neither Sony nor Epsilon showed up to a House hearing on data theft this morning—the predictable result of which was that both firms were trashed in absentia.

Rep. Mary Bono Mack (R-CA), chair of the Subcommittee on Commerce, Manufacturing, and Trade, opened the hearing with a sustained attack on both companies. After saying that both Sony and Epsilon were also "victims," Bono Mack stopped sympathizing with the firms. And she made clear that she's no fan of using "a blog" for public disclosure of a breach:

But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits "enter"…

As Chairman of this Subcommittee, I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable.

According to Epsilon, the company did not have time to prepare for our hearing—even though its data breach occurred more than a month ago. Sony, meanwhile, says it’s too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them…

Yet for me, the single most important question is simply this: Why weren’t Sony’s customers notified sooner of the cyberattack? I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony—as well as all other companies—have an overriding responsibility to alert them... immediately.

In Sony’s case, company officials first revealed information about the data breach on their blog. That’s right. A blog. I hate to pile on, but—in essence—Sony put the burden on consumers to "search" for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.

Panelists joined in. Dr. Gene Spafford of Purdue testified that Sony's system was weak, and that those weaknesses had been revealed on security mailing lists months before the breach. According to Spafford, key parts of Sony's PlayStation Network ran on Apache servers that "were unpatched and had no firewall installed." This was reported in a forum known to be frequented by Sony employees, he said, though no changes were made in the months leading up to the attack.

Without Sony or Epsilon present, much of the hearing focused on potential data protection legislation that would create some kind of process for auditing a company's data security measures to make sure they conform to best practices. Breach notification rules were also discussed, and the Federal Trade Commission pushed for Congress to give it civil penalty authority to go after companies that lose data through carelessness; in the last 10 years, the FTC has brought cases against 34 such companies, though it is currently limited in the penalties it can seek.

Can better standards really protect against such breaches? A Secret Service investigator at the hearing said that they could, adding that in his view, 96 percent of such breaches could have been avoided through straightforward, well-known security techniques. Sophisticated hackers do exist, of course, but they are rare. If companies can simply cut off script kiddie access to their systems, it will be a big step toward better data security.